Former hackers protect NSW's critical infrastructure

State government contractor turns black hats white.

In a fortified, bulletproof facility in North Sydney, security engineers who once skirted the limits of hacking laws now work to catch those attacking NSW’s state critical infrastructure.

The engineers were talented hackers from Brazil, India, Russia and the former Soviet states, some of whom breached networks while honing their security skills.

Now they spend hours on end pouring over monitors that collect data feeds from networks across all but a handful of the state’s utility companies.

Despite a lack of university degrees and formal security certificates, these young men were hired by managed service provider Earthwave, which counts government bodies as half its clients.

The former hackers -- experienced exploit writers and systems poppers -- are now charged with recruiting new blood for Earthwave, and seem to view education portfolios as padding.

Instead, Earthwave's recruitment process is designed to draw out technical prowess. In early rounds of hiring, hopefuls have to beat a live capture-the-flag hacking challenge to demonstrate their skills and progress to further challenges.

Recruiters appear to have looser restrictions than those publicised by some high-profile security firms.

While it doesn't employ current black hats anywhere in the business, all job vacancies are open to former hackers without criminal records.

Convicted, former hackers are barred from the security operations centre (SOC), but may work in R&D, strategy or sales roles.

One Earthwave hire was a skilled security researcher from India, where he had scratched out a living by reselling his neighbour’s hacked wireless connection.

Another -- who works in the sales and strategy areas and not in the security operations centre (SOC) -- hacked the Australian Taxation Office in the early 90s and was later arrested and jailed.

The former hacker, who could not be named, said the security infrastructure protecting the ATO was then almost non-existent.

"It was just too easy ... We saw a few classified things, but we didn't break anything. It was just incredible to us to see how easy it was to get around."

Others working behind the bomb-proof walls of Earthwave’s multi-million-dollar SOC shared similar tales.

Many had learnt security the same way: as geeky school kids fascinated and obsessed with exploring the seemingly limitless freedom that the internet afforded.

At least two Earthwave staff members were former colleagues in hacking gangs of the 1990s.

"I learnt much more doing my own research in the dead of night than I did in university," said one, on the condition of anonymity. "I teach myself still rather than go to courses."

According to Earthwave's chief executive officer Carlo Minassian the former hackers' experience in reverse engineering and writing malicious code helped them to identify complexity in what others may see as mundane attacks against customer networks.

"You need a hacker to catch a hacker," he said. “These guys from India and Brazil, they have to work damn hard to make money and they are really very good."

Minassian founded Earthwave more than 12 years ago with his brother and two friends who were qualified CISSPs at the time, after his family fled Iran during the Iraq invasion of the 1980s.

About half of the 40 SOC engineers were overseas hires who immigrated to Sydney to work for Earthwave. Minassian and another local engineer who runs the technical interviews said foreign hackers were generally more skilled and worked harder than their Australian counterparts.

Hacking laws may be more relaxed, or perhaps even non-existent where some staff were hired. But Minassian insisted that every effort was made to ensure candidates were not engaged in illegal hacking.

"It is very important that the people we are hiring are not active hackers. We suss them out over many meetings -- they are sometimes naive and will often easily give up what they are doing."

Engineers working within the SOC must first pass “comprehensive” background checks by the Department of Defence and hold appropriate clearances that allow them to access sensitive government information.

Earthwave also has several staff who perform research and development from their home countries and must pass what the company claimed were rigorous audits by staff.

They were denied direct access to sensitive customer SOC data and were instead fed sanitised feeds to help engineers correlate data sets and identify potential threats.

But candidates could not work within the SOC if they had criminal records or were found to have maintained blackhat activities. Minassian said those people were sniffed out during interviews.

Investigations

On a large monitor pinned to the front wall of the SOC, coloured lines envelop a map of the world linking dozens of countries to Sydney IT networks. Each line illustrates IP addresses that were attacking Earthwave customers.

Using intelligence gathered on the attacks, engineers could hone in on physical locations of the offending machines. That information could then be relayed to police.

Read on to page two for how Earthwave investigated attacks by staff and former staff of McDonald's and a Federal Government agency.

Take part in discussions with comments on blogs, news and reviews; receive all the latest industry news directly to your inbox and tailor make your information specifically to your interests. Join now for free.

Please check your email

A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.

If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.